Privacy risks going viral

March 2020 will go down in history as a pivotal time for humanity. Healthcare, economics, politics, law enforcement and so much more will be looked through the lens of COVID-19.

Privacy has been discussed extensively in the last few weeks. Privacy and Data Protection authorities around the globe have made statements about the management of personal data during this pandemic (see the statement form the European Data Protection Board here and the Canada Office of the Privacy Commissioner here) .

Effective decision-making depends on data and we, as individuals, are the greatest creators of this data. We create such critical data with every step and every breath we take and, in this way, we contribute to the process of getting closer to managing and understanding the pandemic. The use of personal data by scientists, public health officials, governments and businesses allows everyone of them to understand better where we are at, where we are going and how to get to where we want to be in the best way possible. However, the level of personal data that is being collected right now, even if it is totally justified, still needs to be protected and managed in the most appropriate manner.

The topic of privacy has really taken off lately. Between authorities guidance and concerns from respected privacy professionals, we are really stepping into unchartered territories. It is evident that this information is critically needed but the concerns that resonate with me are A. for how long? B. how detailed? And C. for what purposes?

Is surveillance at this level going to be the “new normal”? How are public and private organizations going to justify it? What powers, as individuals, will we have to keep them accountable? I am fully committed to participating now for the collective good. But when the collective good is taken care of, what then? Do I want my employer to keep close tabs on my location and my health forever, “just in case”?

Tools like TraceTogether launched in Singapore, where Bluetooth signals are exchanged between phones to see if anyone that has tested positive comes in contact with other people and then having this information going to the government as well. While this may help flatten the curve of coronavirus cases, it is certainly unnerving for some people to be monitored 24/7, even if others want to take action and do whatever is necessary to control this crisis.

Governments around the globe have been given a perfect opportunity to exercise control over their citizens that would not have been looked upon kindly before. And once these governments use tracking technologies as openly as they are doing right now, this may become the norm even after things go back to normal. Governments could keep using these technologies even after this legitimate use dies out.

What to do then? How to prepare as governments, businesses and individuals to ensure that the personal information that is been collected is legitimate, necessary, minimized and used for the purpose that it was required and nothing else? And how do we, as a society, wind this down once the threat is contained to ensure that human rights are not abused?

Governments and businesses have the fiduciary responsibility to continue abiding by Privacy and Personal Data Protection Regulations around the globe. Even if they are collecting, using and disclosing personal data for reasons of public health – and sensitive personal data more than even before – they still need to ensure that there are safeguards in place, that they know who has access to what data and that the timeframe for use of this information is clearly delimited, so that when it is no longer needed, it can be securely disposed of.

What can be done to ensure that personal data is protected, used for the right purposes and the privacy of individuals not abused? Some thoughts that come to mind include:

Document, document, document. Ensure that your organization knows what personal data is being used for the purpose of the pandemic so that when things go back to a level of normalcy, you can determine whether it is still necessary to use this information.

Be transparent. Let your customers, employees and any other stakeholders know in advance what personal data you require and for what purpose. For instance, if you need to monitor the health status of your employees if they need to be with other employees or if you need to advise other individuals if someone has tested positive or if you need to share their personal information with authorities.

Always abide by the regulations. Whether it is HIPAA, GDPR or any other regulation around the world, ensure that the personal data that you are collecting in the context of the pandemic abides by the requirements of the Privacy Regulations the organization needs to comply with.

Ensure that your security and privacy practices are still followed even with a remote workforce. Remind everyone that the rules still apply and that more than ever, they have an individual responsibility to safeguard personal data.

Life is changing rapidly. Technology, more that ever, is taking hold in society in order to maintain as much of the economy and our normal life as possible and technology is enabling a lot of organizations to continue moving forward even in these difficult times. But technology, if not in check, can still be a vehicle for privacy abuse if we allow it.

Let’s focus on being safe in both our physical and virtual environments. And let’s keep our governments and authorities accountable about how they use our personal data for the greater good. Let’s reclaim our lives as they once were and also reclaim our rights as individuals to a private life.